
I have a 3-node Kafka cluster. I have enabled SASL_PLAINTEXT and it is working fine on port 6667. Now I want to enable SSL on a different port in the same cluster. I have set up the truststore and keystore certificates, and I did the below configuration on the broker side.

# server.properties (broker side)
listeners=SSL://localhost:6668
security.inter.broker.protocol=SSL
ssl.key.password=xxxx
ssl.keystore.location=/root/kafka.server.keystore.jks
ssl.keystore.password=xxxxx
ssl.truststore.location=/root/kafka.server.truststore.jks
ssl.truststore.password=xxxxxx
ssl.keystore.type=JKS
ssl.truststore.type=JKS

I have given permissions also. I am getting the below errors:

Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /root/kafka.server.keystore.jks of type JKS

Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /root/kafka.server.keystore.jks of type JKS

Caused by: java.io.FileNotFoundException: /root/kafka.server.keystore.jks (Permission denied)

2 Answers


Caused by: java.io.FileNotFoundException: /root/kafka.server.keystore.jks (Permission denied)

The error trace is fairly clear: /root/kafka.server.keystore.jks cannot be accessed by the process. Note that the process typically runs as a different user, and I suspect that the keystore has been created by a different user.

Make sure that the user that is running the process has sufficient access rights for reading /root/kafka.server.keystore.jks. One way of achieving this is to change the ownership of the file:

sudo chown -R userWhoRunsTheProcess:userGroup /root/kafka.server.keystore.jks
  • I have given the correct permissions; it's connecting now from the Kafka tool. While doing console producer and consumer I am getting the below error: Connection to node -1 failed authentication due to: SSL handshake failed – satish pujara Mar 17 '20 at 13:33
  • To verify if the server's keystore and truststore are set up correctly you can run the following command: openssl s_client -debug -connect xxxx:6668 -tls1. It's verified. – satish pujara Mar 17 '20 at 13:36
  • I have added the below mentioned points in the producer.properties file: security.protocol=SSL ssl.truststore.type=JKS ssl.truststore.location=/opt/ssl/kafka.server.truststore.jks ssl.truststore.password=xxxxxx ssl.keystore.location=/opt/ssl/kafka.server.keystore.jks ssl.keystore.password=xxxxxx ssl.key.password=xxxxxx – satish pujara Mar 17 '20 at 13:37
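
As an added example (not from this answer and not Kafka code), a small script that reports which of the usual causes is behind a "(Permission denied)" on a keystore: wrong owner, no read bit, a world-readable private key, or an unsearchable parent directory. The last one matters here: /root is normally mode 700, so chown on the file alone does not let a non-root broker reach it. The service account name `kafka` and the path are placeholders.

```python
"""Diagnose why a Kafka broker reports "(Permission denied)" on a keystore or
truststore.  Added example for this answer, not Kafka code.  It assumes POSIX
permissions; the service account name "kafka" and the paths are placeholders."""
import os
import pwd
import stat


def diagnose_store(path, service_user=None):
    """Return a list of problems with `path`; an empty list means the file is a
    regular file, readable by the current account, not readable by "other",
    and every directory above it can be searched."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    except PermissionError:
        return ["cannot reach %s: a parent directory is not searchable" % path]

    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file: %s" % path)

    if service_user is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        if owner != service_user:
            problems.append("owned by %s but the broker runs as %s" % (owner, service_user))

    if not os.access(path, os.R_OK):
        problems.append("not readable by the current account (uid %d)" % os.geteuid())

    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        problems.append("world-readable (mode %o); the keystore holds a private key, use chmod 600" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other (mode %o)" % mode)

    # chown on the file alone is not enough when it lives under /root: that
    # directory is normally mode 700, so a non-root broker cannot search it.
    d = os.path.dirname(os.path.abspath(path))
    while True:
        if not os.access(d, os.X_OK):
            problems.append("directory not searchable: %s" % d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return problems


if __name__ == "__main__":
    import sys
    # Placeholder path and service user; pass real ones on the command line.
    for p in sys.argv[1:] or ["/root/kafka.server.keystore.jks"]:
        for msg in diagnose_store(p, service_user="kafka") or ["ok"]:
            print("%s: %s" % (p, msg))
```

Run it as the account the broker runs under (for example `sudo -u kafka python3 diagnose.py /root/kafka.server.keystore.jks`) so that the access checks answer for that account; as root every access check passes and only the owner and mode findings are meaningful. Moving the stores to a directory the broker can search, such as the /opt/ssl path used later in the comments, is the usual fix.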

Regarding the question, listeners takes a list of addresses,

listeners=SSL://0.0.0.0:6668,SASL_PLAINTEXT://0.0.0.0:6667

You already have SASL, so I would suggest using SASL_SSL.
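
An added example (not Kafka's code and not part of this answer) that checks a candidate `listeners` value the way the broker will before you restart it: every entry must be NAME://host:port (an entry whose port is separated with `;` instead of `:` is rejected), listener names must be unique and map to a security protocol, and `security.inter.broker.protocol` must be served by one of the listeners, which is why a lone `SSL://localhost:6668` listener drops the SASL_PLAINTEXT clients on 6667. The loopback warning for multi-broker clusters is this example's own addition; `listener.security.protocol.map` entries can be passed as `protocol_map`.

```python
"""Check a Kafka `listeners` value together with the inter-broker protocol
before restarting a broker.  Added example for this answer, not Kafka's own
parser.  It assumes the rules the broker enforces in KafkaConfig: entries are
comma separated, each is NAME://host:port, listener names are unique and map
to a security protocol, and security.inter.broker.protocol must be served by
one of the listeners.  The loopback warning is this example's own addition."""
import re

SECURITY_PROTOCOLS = {"PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}
# NAME://host:port; host may be empty (bind all) or a bracketed IPv6 literal.
_ENTRY = re.compile(r"^(?P<name>[A-Za-z0-9_-]+)://(?P<host>\[[^\]]*\]|[^:/]*):(?P<port>\d+)$")


def parse_listeners(value):
    """Split a `listeners` value into (NAME, host, port) tuples.
    Raises ValueError naming the offending entry, e.g. ';' used instead of ':'."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        m = _ENTRY.match(raw)
        if m is None:
            raise ValueError("malformed listener %r (expected NAME://host:port)" % raw)
        port = int(m.group("port"))
        if port > 65535:
            raise ValueError("port out of range in %r" % raw)
        # Listener names are compared case-insensitively, so normalise them.
        entries.append((m.group("name").upper(), m.group("host"), port))
    return entries


def check_listeners(listeners, inter_broker_protocol, protocol_map=None, cluster_size=1):
    """Return a list of 'error: ...' / 'warning: ...' strings; empty means consistent.
    protocol_map mirrors listener.security.protocol.map for custom listener names."""
    findings = []
    entries = parse_listeners(listeners)
    protocol_map = {k.upper(): v.upper() for k, v in (protocol_map or {}).items()}
    seen_names, seen_ports, served = set(), {}, set()
    for name, host, port in entries:
        if name in seen_names:
            findings.append("error: listener name %s is used more than once" % name)
        seen_names.add(name)
        if port in seen_ports:
            findings.append("warning: port %d is used by both %s and %s" % (port, seen_ports[port], name))
        seen_ports.setdefault(port, name)
        # With no explicit map, the listener name is the security protocol.
        protocol = protocol_map.get(name, name)
        if protocol not in SECURITY_PROTOCOLS:
            findings.append("error: listener %s has no security protocol mapping" % name)
        served.add(protocol)
        if cluster_size > 1 and host in LOOPBACK_HOSTS:
            findings.append("warning: %s binds to %s; other brokers and remote clients cannot reach it" % (name, host))
    if inter_broker_protocol.upper() not in served:
        findings.append("error: security.inter.broker.protocol=%s is not served by any listener" % inter_broker_protocol)
    return findings


if __name__ == "__main__":
    # Both ports kept, as this answer suggests, for a three-node cluster.
    for f in check_listeners("SSL://0.0.0.0:6668,SASL_PLAINTEXT://0.0.0.0:6667", "SSL", cluster_size=3) or ["ok"]:
        print(f)
```

With both listeners present and `security.inter.broker.protocol=SSL`, the check passes; with only `SSL://localhost:6668` on a three-node cluster it passes the protocol check but warns that the bind address is unreachable from the other brokers.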
